Oracle Java Security Challenges - What you need to know

As of April 16, 2019, Oracle changed its Java support policy: any Oracle/Sun Microsystems Java Standard Edition (SE) release, including the JRE and JDK, whether a Long Term Support (LTS) or non-LTS release, now requires a paid Oracle Java SE Advanced/Desktop license, support contract or subscription in order to receive commercial patches, including security updates. The majority of Java customers worldwide use Oracle Java versions 6, 7, 8 (LTS) and 11 (LTS), so this change applies to all customers, whether they are Oracle or non-Oracle shops, and has a significant, usually unbudgeted, impact on all organizations.

Additionally, Oracle has replaced the Binary Code License (BCL) agreement with its standard Oracle Technology Network (OTN) agreement, which includes an audit clause, for all Oracle Java SE releases from version 11 onward. The details follow:

Which Version Security Update / Patch Update Requires a Paid Subscription?

Because of Oracle's support policy changes for Java, customers have not received free security updates for Java 8 since April 16, 2019. Here is an overview of the Java patchsets and versions that require a commercial subscription in order to obtain security patches and updates:

  • Java 6: patchset 45
  • Java 7: patchset 80
  • Java 8: patchset 202
  • Any Java version covered by the OTN agreement
  • Java 11, 12, 13, 14
  • Any commercial features in use
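As an added example (not code from the original article or from SoftwareONE), the following Python snippet shows the inventory check this list implies: it parses `java -version` banners from a fleet and classifies each install against the cutoffs above, treating the listed patchsets (6u45, 7u80, 8u202) as the last ones obtainable without a subscription and Oracle Java 11+ as OTN-licensed. The host names and banners are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple
# Last patchsets available under free terms, as listed above; Oracle Java 11+ is under OTN.
LAST_FREE_PATCHSET = {6: 45, 7: 80, 8: 202}

BANNER_RE = re.compile(r'^(?P<dist>java|openjdk) version "(?P<ver>[^"]+)"', re.M)
LEGACY_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")      # 1.8.0_202 -> (8, 202)
MODERN_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")  # 11.0.7    -> (11, 7)

def parse_version(ver: str) -> Optional[Tuple[int, int]]:
    """Return (major, patchset) for both the legacy 1.x.y_NN and the 9+ N.m.p schemes."""
    if (m := LEGACY_RE.match(ver)):
        return int(m.group(1)), int(m.group(2) or 0)
    if (m := MODERN_RE.match(ver)):
        return int(m.group(1)), int(m.group(3) or 0)
    return None

def classify(dist: str, major: int, patchset: int) -> str:
    """Position of an install relative to Oracle's free-update cutoffs."""
    if dist == "openjdk":
        return "openjdk-build"        # not an Oracle Java SE binary; check that vendor's terms
    if major >= 11:
        return "otn-subscription"     # Oracle Java 11+: patches require the subscription
    last_free = LAST_FREE_PATCHSET.get(major)
    if last_free is None:
        return "unlisted"             # release line with no cutoff on this page (e.g. 9, 10)
    if patchset <= last_free:
        return "stale-free-build"     # at/before the last free patchset: later fixes missing
    return "commercial-patchset"      # past the cutoff, so it came from a paid update channel

def assess_banner(banner: str) -> str:
    """Classify one host's `java -version` output (the banner is printed on stderr)."""
    m = BANNER_RE.search(banner)
    parsed = parse_version(m.group("ver")) if m else None
    if parsed is None:
        return "no-java"
    return classify(m.group("dist"), *parsed)

# Constructed sample banners for hypothetical hosts, not output from real machines.
SAMPLE_BANNERS = {
    "app01": 'java version "1.8.0_202"\nJava(TM) SE Runtime Environment (build 1.8.0_202-b08)',
    "app02": 'java version "1.8.0_251"',
    "web01": 'openjdk version "11.0.7" 2020-04-14',
    "db01": 'java version "11.0.6" 2020-01-14 LTS',
    "old01": 'java version "1.7.0_80"',
    "unk01": 'bash: java: command not found',
}

def assess(banners: Dict[str, str]) -> Dict[str, str]:
    return {host: assess_banner(b) for host, b in banners.items()}
```

Hosts reported as `stale-free-build` are the ones missing every Java security fix released after the free cutoff, which is where a defender should start.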

These Security Patches Have Fixes for Following Vulnerability Issues in General:

  1. Successful attacks on Java vulnerabilities can result in unauthorized update, insert or delete access to some Java SE and Java SE Embedded accessible data, as well as unauthorized read access to a subset of Java SE and Java SE Embedded accessible data.
  2. A security issue allowing remote attackers to affect confidentiality, integrity and availability via unknown vectors related to JavaFX.
  3. A vulnerability allowing an unauthenticated attacker with network access via multiple protocols to compromise Java SE and Java SE Embedded.
  4. And many more…

The National Vulnerability Database (NVD) is a comprehensive source of security vulnerability and patch information. A quick check of the security impact of the various Java 8 patch releases gives the following picture:

| Version | No. of vulnerabilities | Max CVSS v2 Base | Max CVSS v2 Impact | Max CVSS v2 Exploitability | Avg CVSS v2 Base | Avg CVSS v2 Impact | Avg CVSS v2 Exploitability | Max CVSS v3 Base |
|---|---|---|---|---|---|---|---|---|
| 8 | 3 | 9.3 | 8.6 | 10.0 | 6.0 | 8.6 | 5.3 | 0.0 |
| 8U201 | 2 | 5.0 | 10.0 | 2.9 | 4.7 | 9.3 | 2.9 | 7.5 |
| 8U202 | 5 | 6.8 | 10.0 | 6.4 | 5.9 | 8.9 | 5.0 | 9.0 |
| 8U211 | 5 | 5.8 | 10.0 | 4.9 | 4.2 | 7.7 | 3.3 | 5.3 |
| 8U212 | 7 | 5.8 | 10.0 | 4.9 | 3.9 | 7.2 | 3.2 | 5.3 |
| 8U221 | 32 | 5.8 | 8.6 | 4.9 | 4.2 | 8.0 | 3.2 | 6.8 |
| 8U231 | 14 | 6.8 | 8.6 | 6.4 | 4.9 | 8.6 | 3.7 | 8.1 |
| 8U241 | 20 | 5.8 | 10.0 | 6.4 | 4.8 | 8.1 | 3.8 | 8.1 |
| 8U251 | 9 | 5.8 | 4.9 | 4.9 | 4.7 | 3.9 | 7.9 | 4.8 |

What is Your Java OPEX Impact?

A typical small environment of fewer than 1,000 desktops and servers with 1,300 cores can have an OPEX outlay as shown in the figure below:

[Figure: OPEX outlay for a small environment]

A large estate, by contrast, can see a substantial OPEX impact:

[Figure: OPEX outlay for a large environment]

SoftwareONE Advisory Approach to Address this Challenge

  • Technical assessment of client machines, servers (physical/virtual) and cloud instances for JRE/JDK installations.
  • Optimization of bundled Java usage with products from vendors that provide their own Java support (Oracle, IBM, Red Hat, SAP, AWS etc.).
  • Assessment of OpenJDK as an alternative, based on a rationalization of the Java-based application portfolio.
  • Outcome-based Java subscriptions from vendors such as Oracle, Azul Systems and IBM/Red Hat.

Looking for More?

SoftwareONE’s Oracle and Java global advisory team has years of consulting experience around technology, compliance and commercial advisory. Please reach out to us for the latest in Oracle Java guidance.


Author

Abhishek Gupta

Global Oracle / Java Practice Leader

Publisher Advisory | Oracle Global
